In this tutorial we are going to configure a Two-Tier Enterprise PKI on Microsoft Server 2019, intended for lab use. The advantage of a two-tier hierarchy is that clients only need to trust the Root CA, so if a Subordinate CA gets compromised the Root CA does not have to be replaced. During normal operation the Root CA is offline and certificate requests are handled by the Subordinate CA. The Root CA is a non-domain-joined machine and is only turned on to issue a certificate for the Subordinate CA or to update the Certificate Revocation List (CRL).

  • Overview

  • Setup Standalone Root CA

  • Setup Enterprise Subordinate CA

  • Setup Group policy

  • Deploy Policy Templates

This is the lab setup we are going to build.

Before you start with this tutorial create the following servers and install them with Microsoft Server 2019. In this tutorial we are only configuring the servers.

Servername    OS              Role                               Notes
DC01          MS Server 2019  Domain Controller
OFFENT-CA01   MS Server 2019  Offline Standalone Root CA         non-domain joined
SUBENT-CA02   MS Server 2019  Online Enterprise Subordinate CA   Domain joined

Offline Root CA

Setup Offline Root CA

First we will create the CApolicy.inf. This configuration file defines settings that are applied to the Root CA certificate and to all other certificates issued by the Root CA. It must be created before AD CS is installed on the Root CA. For more information about the syntax, consult the CApolicy.inf reference documentation.

  1. Start PowerShell, type the following line and press Enter:
notepad c:\windows\capolicy.inf

  2. Select Yes to create the new file.

  3. Because this is a lab setup I will only configure some basic settings for the Root CA:

  • Renewal information for the CA certificate.

  • The validity period for the base CRL.

  • Disable the AlternateSignatureAlgorithm.

  • Disable the DefaultTemplates; these are not used because this is an offline CA.

For this lab I use a randomly generated OID which is based on the Microsoft OID. Because such generated OIDs may not be unique, you should request a private enterprise number at IANA (link). This number can be added to the CAPolicy.inf.

[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096 
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Years
CRLPeriodUnits=1
AlternateSignatureAlgorithm=0
LoadDefaultTemplates=0
  4. Save the file as capolicy.inf using All files and ANSI encoding.

  5. Now the role can be added and configured. Start Server Manager and select Add roles and features.

  6. The Add Roles and Features Wizard will start, press Next to continue.

  7. Select Role-based or feature-based installation and press Next.

  8. Use the default settings and press Next to continue.

  9. Select Active Directory Certificate Services.

  10. A pop-up will appear, press Add Features to continue.

  11. Press Next to continue.

  12. Press Next to continue.

  13. Check that the server name is correct and press Next to continue.

  14. Check that the server name is correct and press Next to continue.

  15. Press Install to add Active Directory Certificate Services to the server.

  16. When the installation has completed, press the link Configure Active Directory Certificate Services on the destination server.

  17. Use the default settings and press Next.

  18. Select Certification Authority and press Next.

  19. Because this server is non-domain joined, only Standalone CA can be selected. Press Next to continue.

  20. As this server is the root of the PKI hierarchy, select Root CA and press Next.

  21. Select Create a new private key and press Next to continue.

  22. Because this is the Root CA certificate I use a longer key length of 4096 bits. This increases the security.

  23. Use the default settings and press Next to continue.

  24. Because this server will be used in a test environment I extend the validity period to 10 years. Press Next to continue.

  25. Use the default settings and press Next to continue.

  26. Press Configure to configure the server.

  27. Press Close to continue.

  28. Press Tools in Server Manager and select Certification Authority.

  29. Right-click the server name and select Properties.

  30. Select the Extensions tab.

  31. In the Extensions tab select the extension CRL Distribution Point (CDP) and remove all locations except the location beginning with C:\.

  32. Because this server will be offline, clients cannot contact it to download the CRL; therefore a location on the Subordinate Server needs to be added. Press Add to add the CDP on the Subordinate Server.

  33. Enter the following location and press OK:

http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

Replace <ServerDNSName> with the DNS name of the Subordinate Server. In this demo the location will be:

http://subent-ca02.vmlabblog.com/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

Check the boxes beginning with Include in CRLs* and Include in the CDP* and press Apply.

  34. Press No when asked to restart the service.

  35. In Select extension choose Authority Information Access (AIA) and remove all locations except the location beginning with C:\.

  36. Press Add to add the AIA location on the Subordinate Server.

  37. Enter the following location and press OK:

http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt

Replace the first <ServerDNSName> (the host part) with the DNS name of the Subordinate Server; the second one, in the file name, is a variable and stays as it is. In this demo the location will be:

http://SUBENT-CA02.vmlabblog.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt

  38. Check the box Include in the AIA extension of issued certificates and press Apply.

  39. Press Yes when asked to restart the service.

  40. Select the General tab, select the Root certificate and press View Certificate.

  41. Select the Details tab and press Copy to File….

  42. In the Certificate Export Wizard press Next.

  43. Select DER encoded binary X.509 (.CER) and press Next.

  44. In File name enter C:\Windows\System32\CertSrv\CertEnroll\<CA-NAME>-CA.cer and press Next.

  45. Press Finish to export the Root CA certificate.

  46. A pop-up will appear when the export was successful, press OK to continue.

The setup of the Offline Root CA is now completed.
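The same CDP and AIA configuration as the Extensions tab steps above, done from an elevated PowerShell on the Root CA (OFFENT-CA01). This is an added example, not part of the original post; it assumes the names used in this lab (the Subordinate CA reachable as subent-ca02.vmlabblog.com and the default CertEnroll folder), and the flag numbers are the documented certutil values of the check boxes in that tab.

```powershell
# Added example (not from the original post): certutil equivalent of the CDP/AIA GUI steps.
# Run in an elevated PowerShell on the offline Root CA (OFFENT-CA01).
# Assumption: the Subordinate CA is reachable as subent-ca02.vmlabblog.com (the lab name).
$SubCaHost = 'subent-ca02.vmlabblog.com'

# certutil variable tokens: %1 = ServerDNSName, %3 = CaName, %4 = CertificateName,
# %8 = CRLNameSuffix, %9 = DeltaCRLAllowed.
# Flag values are the sum of the check boxes in the Extensions tab:
#   CDP: 1 = publish CRLs to this location, 2 = include in the CDP extension of issued
#        certificates, 4 = include in CRLs (clients use this to find delta CRLs),
#        64 = publish delta CRLs to this location
#   AIA: 1 = publish to this location, 2 = include in the AIA extension of issued certificates
# Entries of a multi-valued setting are separated by a literal \n for certutil.
$cdp = @(
    '65:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl',  # local file location (kept)
    "6:http://$SubCaHost/CertEnroll/%3%8%9.crl"                # HTTP location on the Subordinate CA
) -join '\n'
$aia = @(
    '1:C:\Windows\System32\CertSrv\CertEnroll\%1_%3%4.crt',
    "2:http://$SubCaHost/CertEnroll/%1_%3%4.crt"
) -join '\n'

certutil -setreg CA\CRLPublicationURLs    $cdp
certutil -setreg CA\CACertPublicationURLs $aia

# The CA service must be restarted before the new URLs take effect (the GUI asks the same).
Restart-Service CertSvc

# Check: show the effective URL lists, then publish a fresh CRL so the local copy in
# CertEnroll reflects the new configuration before it is copied to the Subordinate CA.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
certutil -crl
```

Every certificate the Root CA issues from this point (in this lab only the Subordinate CA certificate) carries the HTTP URLs, so the output of certutil -getreg is worth keeping with the lab notes: if a URL is wrong here, the Subordinate CA certificate has to be reissued after the fix.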

Subordinate CA

With the Offline Root CA completed, we can now set up the Subordinate CA server, SUBENT-CA02. This server is authorized by the Root CA to issue certificates. During the setup the CA role will be added and configured, and the server will be authorized by the Root CA. Make sure that the Subordinate server is domain joined before you start with the AD CS setup and that you have a domain account which is a member of the Enterprise Admins group.

Setup Subordinate CA

  1. Start Server Manager and select Add roles and features.

  2. The Add Roles and Features Wizard will start, press Next to continue.

  3. Select Role-based or feature-based installation and press Next.

  4. Use the default settings and press Next to continue.

  5. Select Active Directory Certificate Services.

  6. A pop-up will appear, press Add Features to continue.

  7. Select Web Server (IIS).

  8. A pop-up will appear, press Add Features to continue.

  9. Press Next to continue.

  10. Press Next to continue.

  11. Check the server name before you continue; it cannot be changed after the AD CS role has been installed. Press Next to continue.

  12. Keep the default role service Certification Authority and press Next.

  13. On the Web Server Role (IIS) page press Next.

  14. On the Role Services page select Basic Authentication and Windows Authentication. Press Next to continue.

  15. In the confirmation screen press Install to start the installation.

  16. When the installation has completed, press the link Configure Active Directory Certificate Services on the destination server.

  17. Make sure your domain credentials have been entered and not your local admin credentials, otherwise you will not be able to configure an Enterprise CA. Press Next to continue.

  18. Select the box Certification Authority and press Next to continue.

  19. Select Enterprise CA and press Next to continue. (If Enterprise CA is not available, check that the server is domain joined and that the credentials entered in step 17 are domain credentials.)

  20. Select Subordinate CA and press Next to continue.

  21. Select Create a new private key and press Next.

  22. Use the default settings and press Next to continue.

  23. Use the default settings and press Next to continue.

  24. Select the folder to save the certificate request and press Next to continue. (The default is C:\.)

  25. Use the default settings and press Next to continue.

  26. Press Configure to apply the configuration.

  27. When the configuration has succeeded a warning is shown. This is just a notification that the configuration is not complete until a certificate issued by the Root CA has been obtained and installed on the Subordinate CA.

  28. Switch over to the Offline Root CA (OFFENT-CA01) and browse to the folder c:\windows\system32\certsrv\certenroll. There should be three files; select and copy all of them.

  29. Switch back to the Subordinate CA (SUBENT-CA02) and browse to the folder c:\windows\system32\certsrv\certenroll. Paste the files copied in the previous step.

  30. Right-click the Root CA certificate which you just copied and select Install Certificate.

  31. Select Local Machine and press Next.

  32. Press Browse and select the Trusted Root Certification Authorities store. Press Next to continue.

  33. Press Finish to continue.

  34. After some time a pop-up will appear when the import has finished. Press OK to continue.

  35. Create a new folder in C:\inetpub\wwwroot with the name CertEnroll.

  36. Copy the Root CA certificate and Certificate Revocation List from C:\Windows\System32\CertSrv\CertEnroll to C:\inetpub\wwwroot\CertEnroll.

  37. Browse to the location entered in step 24 (default C:\) and copy the *.req file to the C: drive of the Root CA server.

  38. On the Root CA server open Certification Authority, right-click the server name and select All Tasks -> Submit new request….

  39. Browse to the request file on the C: drive and press Open.

  40. Select Pending Requests. Right-click the pending request and select All Tasks -> Issue.

  41. Select Issued Certificates. Right-click the issued certificate and select Open.

  42. Select Details and press Copy to File….

  43. Press Next to continue.

  44. Select Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) and check the box Include all certificates in the certification path if possible. Press Next to continue.

  45. Press Browse….

  46. Enter a name for the certificate and press Save (the default location is the Documents folder).

  47. Press Next to continue.

  48. Press Finish to export the CA certificate.

  49. After some time a pop-up will appear when the export has finished. Press OK to continue.

  50. Copy the CA certificate from the Root CA (step 46) and switch to the Subordinate server to paste the file.

  51. On the Subordinate CA open Certification Authority. Right-click the server name and select All Tasks -> Install CA Certificate.

  52. Select the copied CA certificate and press Open.

  53. Right-click the server name and select All Tasks -> Start Service.
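A check worth running on SUBENT-CA02 once the service is started: the CDP and AIA URLs configured on the Root CA point at C:\inetpub\wwwroot\CertEnroll on this server, so the files copied there in step 36 must actually be served over HTTP, and the Root CA's CRL (valid for one year with the CApolicy.inf above) must be renewed before it expires. This is an added example, not part of the original post; it assumes the lab's folder and host name, and that certutil's date output is parsable by Get-Date in your locale.

```powershell
# Added example (not from the original post): run in PowerShell on SUBENT-CA02 after step 53.
# Assumptions: the web folder and host name are the ones used in this lab.
$WebRoot   = 'C:\inetpub\wwwroot\CertEnroll'
$SubCaHost = 'subent-ca02.vmlabblog.com'

# Each file here is referenced by the URLs embedded in the Subordinate CA certificate (and in
# every certificate it issues), so clients must be able to fetch it anonymously over HTTP.
foreach ($file in Get-ChildItem $WebRoot -File) {
    $url = "http://$SubCaHost/CertEnroll/$($file.Name)"
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing
        '{0,-50} HTTP {1}, {2} bytes' -f $file.Name, $r.StatusCode, $r.RawContentLength
    } catch {
        '{0,-50} FAILED: {1}' -f $file.Name, $_.Exception.Message
    }
}

# The Root CA's CRL is valid for one year (CRLPeriodUnits=1 in CApolicy.inf). Once NextUpdate
# has passed, revocation checking fails for every certificate in the hierarchy, so the Root CA
# must be powered on, "certutil -crl" run, and the new .crl copied into $WebRoot before that date.
foreach ($crl in Get-ChildItem $WebRoot -Filter *.crl) {
    $line = (certutil -dump $crl.FullName | Select-String 'NextUpdate' | Select-Object -First 1).Line
    $next = ($line -split 'NextUpdate:\s*')[1].Trim()
    $days = [int]((Get-Date $next) - (Get-Date)).TotalDays
    '{0}: next update {1} ({2} days left)' -f $crl.Name, $next, $days
}
```

If a file is listed but the HTTP request fails with 404 while the file clearly exists, check the IIS request filtering settings: file names that contain a plus sign (delta CRLs are published as <CaName>+.crl) are only served when double escaping is allowed for the site.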

Setup Group Policy

The CA Servers are now configured. Now the domain computers/servers need to trust the certificates which are created by the Subordinate Server. This is done by adding the Root CA certificate to the “Trusted Root Certification Authorities” store. The certificate can be added in multiple ways, but the easiest way is by adding it with a Group Policy. In this example a separate policy is created on the Domain Controller in the root of the domain. This is not required but just an example on how it’s possible.

  1. Open Group Policy Management.

  2. Expand Group Policy Management > Forest: > Domains and right-click your domain. Select Create a GPO in this domain, and Link it here….

  3. Enter a name for the policy, for example Root CA Distribution policy, and press OK.

  4. Select the created policy and press Edit.

  5. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies, right-click Trusted Root Certification Authorities and select Import.

  6. Press Next to continue.

  7. Press Browse.

  8. Browse to \\<subordinate-ca>\c$\inetpub\wwwroot\CertEnroll and select the Root CA certificate. Press Open to continue.

  9. Press Next to continue.

  10. Use the default settings and press Next.

  11. Press Finish to import the Root CA certificate.

  12. After some time, when the import has finished, a pop-up will appear. Press OK to continue.

The Root CA certificate is now distributed to all domain devices.
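To confirm on a client that the policy did what was intended, compare the thumbprint of the root that Group Policy installed with the thumbprint of the file exported from OFFENT-CA01, rather than trusting the name alone. This is an added example, not part of the original post; it assumes the exported .cer is still in the Subordinate CA's web folder and uses the placeholder file name <CA-NAME>-CA.cer from the Root CA section.

```powershell
# Added example (not from the original post): run in an elevated PowerShell on any
# domain-joined computer after "gpupdate /force".
# Assumption: <CA-NAME>-CA.cer is the file exported in the Root CA section; replace the name.
$ExportedCer = '\\subent-ca02.vmlabblog.com\c$\inetpub\wwwroot\CertEnroll\<CA-NAME>-CA.cer'

$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ExportedCer

# Roots delivered by the GPO end up in the machine Trusted Root Certification Authorities store.
$installed = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $expected.Thumbprint }

if ($installed) {
    'OK: "{0}" is trusted (thumbprint {1}, valid until {2})' -f $installed.Subject, $installed.Thumbprint, $installed.NotAfter
} else {
    'MISSING: no root with thumbprint {0}; check the GPO link and scope, then run gpupdate /force' -f $expected.Thumbprint
}

# A second root with the same subject but a different thumbprint would mean a wrong (or
# unwanted) certificate is trusted under the lab CA's name; make such a case visible.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $expected.Subject -and $_.Thumbprint -ne $expected.Thumbprint } |
    ForEach-Object { 'WARNING: another root with the same subject is trusted: {0}' -f $_.Thumbprint }

# certutil can show only the roots that arrived through Group Policy, separate from roots
# installed by hand or by other software.
certutil -store -grouppolicy Root | Select-String 'Subject:|Cert Hash\(sha1\):'
```

Keeping the expected thumbprint in the lab documentation makes this check repeatable later, for example after the Root CA certificate has been renewed and the GPO updated.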

Deploy Policy Templates

After setting up an Enterprise CA, some certificate templates are available without additional configuration. In this post I will demonstrate how to add a certificate template and publish it.

Deploy Policy Templates

  1. On the Subordinate CA start Certification Authority and select Certificate Templates. In the right pane all the out-of-the-box templates are visible. Depending on the type, these can be requested by users, computers, etc.

  2. To add a new template, right-click Certificate Templates and select Manage.

  3. An overview with all available templates will appear.

  4. To avoid editing the original template, right-click the template and select Duplicate Template.

  5. Give the new template a unique name and press OK.

  6. Right-click Certificate Templates and select New > Certificate Template to Issue.

  7. In the Enable Certificate Templates list select the template which was created and press OK.

  8. The template is now visible in the Certificate Templates pane.

Test the certificate

  1. Log on to a domain-joined computer. Start MMC and select File > Add/Remove Snap-in.

  2. Select the Certificates snap-in and press Add.

  3. Select My user account in the Certificates snap-in pop-up and press Finish. Press OK to close the snap-in manager. (Only select My user account for user templates; for computer-related templates select Computer account.)

  4. Right-click Personal and select All Tasks > Request New Certificate.

  5. Press Next.

  6. Press Next (by default Active Directory Enrollment Policy is selected).

  7. In the Request Certificates overview all available user-related templates are displayed. The created template should appear. Check the box of the created template and press Enroll.

  8. The certificate will be requested. After a while the status should be Succeeded. Press Finish to continue.

  9. The new certificate is now visible.

  10. When you double-click the certificate and select Certification Path you should see the Root CA, the Subordinate CA and the requested certificate. All certificates should have the status OK.
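The Certification Path tab shows the chain from the local certificate cache; the stronger test is to force the client to download the AIA and CDP locations that point at SUBENT-CA02, because that is what every other domain client will do. This is an added example, not part of the original post; it assumes the default CA naming, so that the issuer name of the enrolled certificate contains the host name SUBENT-CA02.

```powershell
# Added example (not from the original post): run as the user who enrolled, on the
# domain-joined test computer, after step 10 above.
# Assumption: default CA naming, so the issuer name contains the host name SUBENT-CA02.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like '*SUBENT-CA02*' } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No certificate issued by SUBENT-CA02 found in Cert:\CurrentUser\My' }

# certutil -verify -urlfetch downloads the AIA (.crt) and CDP (.crl) URLs of every certificate
# in the chain instead of using cached copies, so an unreachable location on
# http://subent-ca02.vmlabblog.com/CertEnroll/ is reported next to its URL.
$tmp = Join-Path $env:TEMP 'enrolled.cer'
Export-Certificate -Cert $cert -FilePath $tmp -Force | Out-Null
certutil -verify -urlfetch $tmp | Select-String 'Verified|Failed|Error|revocation'

# The same check through .NET: Build() returns $false and ChainStatus says why, e.g.
# RevocationOffline when a CRL could not be downloaded, or UntrustedRoot when the GPO did
# not deliver the Root CA certificate to this computer.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$valid = $chain.Build($cert)
$chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }   # leaf, Subordinate CA, Root CA
"Chain valid: $valid"
$chain.ChainStatus | ForEach-Object { '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
```

For a certificate from a computer template, run the same script from an elevated prompt and replace Cert:\CurrentUser\My with Cert:\LocalMachine\My.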

This was the final post of the Setup Server 2019 Enterprise CA tutorial.